The n-Category Café has written in great detail about the NSA weakening cryptography, and this quote stands out:
The NSA’s 2013 budget request asked for funding to “insert vulnerabilities into commercial encryption systems”. Many people now know the story of the Dual Elliptic Curve pseudorandom number generator, used for online encryption, which the NSA aggressively and successfully pushed to become the industry standard, and which has weaknesses that are widely agreed by experts to be a back door. Reuters reported last year that the NSA arranged a secret $10 million contract with the influential American security company RSA (yes, that RSA), who became the most important distributor of that compromised algorithm.
The idea that security firms are taking money to perpetrate this kind of fraud and unethical behavior is disturbing, and shows that greed overcomes most common sense. The ability of the NSA to protect people is important, but not at the cost of every bit of freedom and, in this case, security for the sake of security. The n-Category Café's writeup exposes just how pervasive it is. The NSA's reach extends so far that no form of communication will be beyond its ability to read or take control of for its own uses, even if you are not a suspect. That reach is disturbing in a very primal way.
As stated on Schneier on Security way back on November 15, 2007, the NSA security holes run deep, and years later they are still looming:
Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.
We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise.
This is scary stuff indeed.
Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile. If someone were to solve just one instance of the algorithm's elliptic-curve problem, he would effectively have the keys to the kingdom. He could then use it for whatever nefarious purpose he wanted. Or he could publish his result, and render every implementation of the random-number generator completely insecure.
Bitcoin and most cryptocurrencies are based on open source code, so we can compile our own wallets and check that nothing has been stealthily added. We have the blockchain, which miners verify and nodes publicly share. Our private keys are separate from our public keys, and cracking the security layer between the two is, right now, very difficult. We can use many forms of open source encryption for our wallets as well. All of these things also mean we should not be complacent.
With online security being a cornerstone of so much of what is done in the digital realm, holes that are purposely made or left are unacceptable. The NSA is supposed to protect people, not expose them to more danger. Back doors are not walls; they have keys. Those keys open the way to identity theft, credit card theft, and the exposure of personal information that is irrelevant to others and inane, yet something you want private nonetheless. How many of the data thefts we have seen in the news from retailers and banking systems could have been due to the NSA having requested that back doors be left open? Could these holes have caused the weakness in the rest of the software? Could the Heartbleed and Windows bugs be part of a bigger problem of not just sloppy code writing but more? Probably not, but the knowledge that the NSA and who knows what foreign agencies are all trying to access your data is frightening. That the NSA is doing it by directly interfering with the very security applications meant to protect us leaves many questions and fears. The fact that the companies that make these security applications go along with it is even worse. Even Samsung's much-awaited Knox security protocol for their mobile phone line still has glaring holes and shortcomings that should never have been left, such as storing PINs in plain text.
Bitcoin is an all-digital currency. Wouldn't it be great if we could protect the rest of our online data in the same manner we do our Bitcoin? A private key for your digital life, paired with a public key, without worrying that some government could get at them.
I'm all for working to protect people, but not by exposing them to more risk and taking away even more freedoms and every tiny bit of privacy. All it takes is some disgruntled NSA employee to hand over those keys or exploits, and the data breaches we have seen recently will be trivial by comparison.